Review of Mainframe Access Controls at the Application Level
Program Accounts Receivable System
Report No. 04-09, September 9, 2004

INTRODUCTION

This report presents the results of the Office of Inspector General’s (OIG) audit of the effectiveness of access controls in ensuring security over the Program Accounts Receivable (PAR) system, a component of the Railroad Retirement Board’s (RRB) financial management application system.

Background

The RRB administers the retirement/survivor and unemployment/sickness insurance benefit programs for railroad workers and their families under the Railroad Retirement Act (RRA) and the Railroad Unemployment Insurance Act (RUIA). These programs provide income protection during old age and in the event of disability, death, temporary unemployment or sickness. The RRB paid out nearly $9 billion in benefits during fiscal year (FY) 2003.

The RRB’s information system environment consists of two general support systems and seven major application systems. The two general support systems are the data processing system, which supports all mainframe computing activity, and the end-user computing system, which supports the agency’s local and wide area networks. The major application systems correspond to the RRB’s critical operational activities: payment of RRA and RUIA benefits, maintenance of compensation and service records, administration of Medicare entitlement, financial management, personnel/payroll, and the RRB’s financial interchange with the Social Security Administration.

The agency’s Chief Information Officer, who is also the director of the Bureau of Information Services, has overall responsibility for administration of both data processing and end-user computing as well as in-house systems development. Within the Bureau of Information Services, the Chief Security Officer has primary responsibility for coordinating, evaluating and reporting on information security for the agency.

The PAR system is a mainframe application that supports debt recovery management and reporting for the RRA and RUIA programs. Access to the mainframe environment is password protected. The PAR system includes an additional system of security functions that controls user accesses, document approval processing procedures and logging features.

The Bureau of Fiscal Operations is the owner-of-record for the PAR system and has responsibility for system administration. The system administrator maintains the security settings within the PAR system, including the access privileges of new and existing users. The PAR system is also used extensively by personnel of the Office of Programs, which has responsibility for debt recognition and coordination of debt recovery and benefit payments. The RRB recognized approximately $90 million in new program debt during FY 2003.

Information security is defined as protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide integrity, confidentiality and availability. Access controls limit or detect access to computer resources (data, programs, equipment, and facilities), thereby protecting these resources against unauthorized modification, loss, and disclosure. Previous OIG security evaluations cited the agency with material weaknesses due to significant deficiencies in access controls in both the mainframe and end-user computing environments and in the training provided to staff with significant security responsibilities.

The Office of Management and Budget (OMB) has published guidance to assist Federal managers in meeting the management control and computer security requirements of the Computer Security Act of 1987, the Chief Financial Officers Act of 1990, and the Clinger-Cohen Act of 1996. OMB Circular A-130, “Management of Federal Information Resources,” Appendix III, dated November 30, 2000, establishes policy for the management of Federal information resources and establishes a minimum set of controls to be included in Federal automated information security programs.

This evaluation was conducted pursuant to the E-Government Act of 2002 (P.L. 107-347), Title III, the Federal Information Security Management Act of 2002 (FISMA), which requires annual Inspector General security evaluations.

Objective, Scope and Methodology

The objective of this evaluation was to assess the effectiveness of access controls in limiting and detecting access to the PAR system. In order to accomplish our objective, we

• identified users of the PAR system as of December 2003 and documented their system privileges;
• obtained an understanding of the security configuration of the PAR system;
• obtained an understanding of the policies and procedures through which system access is requested, authorized, granted and maintained;
• obtained an understanding of the access re-authorization process through discussions with responsible management and staff, and reviews of supporting documentation as available; and
• used statistical and non-statistical sampling to assess the effectiveness of controls in limiting access to the PAR system.

The details of the sampling methodology and results are presented in Appendix I to this report.

Our work was performed in accordance with generally accepted government auditing standards as applicable to the objective. Fieldwork was conducted at RRB headquarters in Chicago, Illinois during December 2003 through May 2004.

RESULTS OF REVIEW

Our audit tests disclosed that access controls are not adequate to ensure that PAR system users are limited to the system privileges required for the performance of their current job. In addition, we observed that PAR system features designed to ensure accountability for changes to certain security settings have not been implemented, and that the approval settings that control transaction processing and data entry are not consistent across programs.

The details of our findings and recommendations follow. Management has agreed to take the recommended corrective action. The full text of the responses of the Bureaus of Information Services and Fiscal Operations is included in this report as appendices II and III respectively.

Controls Are Not Effective in Limiting Access to Requirements of Position

The RRB’s existing control framework is not adequate to ensure that the access privileges granted to users of the PAR system are limited to those required for performance of their current job. Our conclusion is based on our evaluation of the system privileges of 115 system users who can process transactions and/or data, which identified 28 users (24%) whose privileges exceeded the requirements of their current position.

OMB Circular A-130 requires Federal agencies to limit a user’s access (to data files, processing capability, or peripherals) or type of access (read, execute, delete) to the minimum necessary to perform his or her job. Current RRB policy calls for periodic system re-authorization reviews, an internal control process designed to identify changes in user needs. During the re-authorization, supervisors have the opportunity to review the current access privileges of their staff and identify any needed changes or corrections.

The Bureau of Fiscal Operations, the system owner, is responsible for ensuring that re-authorization reviews are scheduled and completed. The Bureau of Fiscal Operations had not performed a re-authorization review for the PAR system since FY 1998; the review scheduled for FY 2003 was not performed.

Although a re-authorization review was performed during FY 2004, the information provided to supervisors did not include sufficient detail about the specific privileges granted to individual employees to provide a basis for re-authorization.
In most cases, the information about staff privileges included only the name of a pre-defined security profile, but not the privileges associated with that profile. In some cases, the pre-defined security profile had not been updated to modify user privileges when the responsibilities of a job were changed.

During the period of our review, the agency’s Chief Security Officer, organizationally within the Bureau of Information Services’ Risk Management Group, had not assumed any direct oversight responsibility for this process. The lack of effective procedures and controls to ensure that PAR system user accesses are limited to the requirements of their current job weakens the overall structure of information security.

Recommendations

We recommend that:

1. The Bureau of Information Services implement a quality assurance program to ensure the timeliness and effectiveness of the re-authorization process for the PAR system. Such a process should include:
   • a review for completeness of documentation;
   • periodic testing to verify the effectiveness of the process;
   • issuance of an annual report communicating to the Chief Information Officer the results of the annual re-authorization process, including an objective assessment of its overall effectiveness.

2. The Bureau of Fiscal Operations, as the system owner, coordinate a review of pre-defined security profiles to ensure that they properly reflect current job requirements.

Management’s Response

The Bureau of Information Services concurs with the recommendation for implementation of a quality assurance program and states that it has already submitted a personnel request to assign staff; however, due to limited resources, the implementation of the program will be a multi-phased approach.

The Bureau of Fiscal Operations agrees that predefined security profiles for PAR system users should reflect their current job requirements and will conduct a review of PAR system security profiles.

Accountability for Changes to Core Security Not Ensured

Existing controls do not provide adequate accountability for changes to the PAR system’s core security tables. As a result, the system audit trail is not adequate to identify individuals who initiated changes to security settings.

OMB Circular A-130 requires that Federal information systems provide accountability. Accountability is defined as the existence of a record that permits the identification of an individual who performed some specific activity so that responsibility for that activity can be established. We would have expected to see an audit trail, in the form of transaction logs, for changes to all core security tables to ensure accountability as well as separation of duties between those system users who initiate/approve changes to the logs and agency personnel who review them.

The PAR system has the capability to provide accountability through the creation of logs that capture date, time and initiator of changes to security tables.
However, this feature has not been implemented for the tables that control security within the PAR system.

Only PAR system administrators can initiate changes to system security settings. The system administrators also determine which changes will be logged. The need for logging changes to core security tables was overlooked because of the small number of individuals within the agency who can make such changes and the strong trust relationship among them.

Recommendation

We recommend that:

3. the Chief Security Officer work with the system administrator to determine which security-related transactions should be logged, and identify the appropriate level of management to receive and review the logs.

Management’s Response

The Bureau of Information Services concurs with the recommendation and has agreed that the Chief Security Officer will work with the PAR system administrator to determine which security-related transactions should be logged and the appropriate level of management to receive and review them.

Approval Settings Are Inconsistent and May Be Ineffective

Document approval requirements have not been established consistently among like transactions. It is not clear whether the approval privileges, as granted to system users, are effective in achieving management’s internal control objectives.

Transactions, such as document approvals, should be executed in accordance with management’s directives.[1] However, we observed that like transactions do not always require like approvals. For example, an RUIA debt can be established by any individual authorized to enter billing documents, but an RRA billing document cannot be processed without an additional level of approval. In addition, approval privileges have been granted to many users, so that most individuals who can enter an RRA billing document can also add the required additional approval.

As a result, the security settings for individual transactions within the PAR system imply a level of control which, in reality, has not been achieved.

[1] “Standards for Internal Control in the Federal Government,” General Accounting Office, November 1999, GAO/AIMD-00-21.3.1

Recommendation

We recommend that:

4. the Bureau of Fiscal Operations coordinate a review of the core security settings to ensure that the configuration of document approvals and award of approval privileges has properly implemented management’s intentions with respect to transaction processing.

Management’s Response

The Bureau of Fiscal Operations agrees with the recommendation and will conduct a review of the core security settings.

Appendix I
Sampling Methodology and Results

We used statistical sampling to assess the effectiveness of controls designed to limit PAR system user access to those privileges required in performance of their assigned duties.
Because more than 80% of PAR system users have been limited to “View Only” access, we supplemented our sampling test with reviews of selected user groups who are able to process transactions or enter data.

Audit Objective

The objective of our tests was to determine whether the agency has been effective in restricting the privileges of users of the PAR system to only those required for their current job.

Scope

We selected the sample from the population of 669 PAR System users as of December 2003.

Review Methodology

Acceptance Sample

We used statistical acceptance sampling with 95% confidence and a 5% tolerable error, which directed a sample size of 145. The threshold for acceptance was three errors. Three exceptions would permit the auditors to infer, with 95% confidence, that controls were adequate to ensure that no fewer than 95% of PAR system users had only the access privileges required for performance of their current job.

Any user who had privileges that exceeded the requirements of their current position was counted as an exception.

Non-Sampling Test

We reviewed the security profiles that granted privileges to the 115 system users who can process transactions and/or input data. Based on an initial inspection of their privileges and the auditor’s knowledge of agency operations, we identified selected users whose privileges appeared to be at highest risk of exceeding the needs of their current job. We asked the system users and/or their supervisors to determine whether the privileges granted were required by the responsibilities of their current position.

Results of Review

Random Sample

Our evaluation of 145 randomly selected PAR user access profiles identified three users whose access profile included privileges that were not required to perform current job responsibilities.

Non-Sampling Test

Among the 115 individuals who had been granted privileges other than “View Only,” we identified 28 (24%) who had system privileges that were not required by their current position.

Audit Conclusion

Based on our evaluation, the RRB has not achieved an adequate level of compliance with least privilege principles. Our tests disclosed a high percentage of users who have the ability to enter and/or modify system data but who do not need that access.
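The checks behind the least-privilege finding, the approval-settings finding and the non-sampling test in Appendix I, as an added Python example that is not code from the report, the RRB or the PAR system: it expands pre-defined profile names into the concrete privileges they grant (the detail the FY 2004 re-authorization did not give supervisors), lists users whose effective privileges exceed what their position requires, and lists users who can both enter and approve the same document type, so that the extra approval step adds no control. Every profile, privilege name, position and user below is constructed for the illustration.

```python
"""Least-privilege and separation-of-duties checks over application
access-control tables.

Added illustration; not code from the report or from the PAR system. The
profiles, privileges, positions and users are constructed to mirror the
situations the findings describe: a stale profile that grants more than the
job needs, an old profile kept after a job change, and approval rights held
by the same people who enter the documents.
"""

# Pre-defined security profiles and the privileges each one grants
# (constructed; all names are hypothetical).
PROFILES = {
    "VIEW_ONLY": {"VIEW"},
    "RUIA_BILLER": {"VIEW", "ENTER_RUIA_BILL"},
    "RRA_BILLER": {"VIEW", "ENTER_RRA_BILL"},
    # Stale profile: still grants approval although billers no longer approve.
    "RRA_CLERK": {"VIEW", "ENTER_RRA_BILL", "APPROVE_RRA_BILL"},
    "SYSADMIN": {"VIEW", "ENTER_RRA_BILL", "APPROVE_RRA_BILL", "EDIT_SECURITY_TABLES"},
}

# Privileges each position actually requires: the least-privilege baseline a
# supervisor confirms against during re-authorization (constructed).
POSITION_NEEDS = {
    "examiner": {"VIEW"},
    "rra_biller": {"VIEW", "ENTER_RRA_BILL"},
    "rra_approver": {"VIEW", "APPROVE_RRA_BILL"},
    "ruia_biller": {"VIEW", "ENTER_RUIA_BILL"},
    "sysadmin": {"VIEW", "EDIT_SECURITY_TABLES"},
}

# (user id, current position, profiles assigned): constructed sample users.
USERS = [
    ("u001", "examiner", ["VIEW_ONLY"]),
    ("u002", "rra_biller", ["RRA_BILLER"]),
    ("u003", "rra_biller", ["RRA_CLERK"]),                # profile grants approval too
    ("u004", "rra_approver", ["RRA_CLERK"]),              # approver who can also enter
    ("u005", "ruia_biller", ["RUIA_BILLER"]),
    ("u006", "examiner", ["VIEW_ONLY", "RUIA_BILLER"]),   # changed jobs, old profile kept
    ("u007", "sysadmin", ["SYSADMIN"]),
]

# Privilege combinations one person should not hold at the same time.
SOD_CONFLICTS = [("ENTER_RRA_BILL", "APPROVE_RRA_BILL")]


def effective_privileges(profiles, catalog=PROFILES):
    """Expand profile names into the concrete privileges they grant; this is
    what a supervisor needs to see, not the profile name alone."""
    privileges = set()
    for name in profiles:
        privileges |= catalog[name]
    return privileges


def reauthorization_sheet(users=USERS):
    """Per-user list of effective privileges for supervisors to confirm."""
    return {uid: sorted(effective_privileges(profiles)) for uid, _pos, profiles in users}


def excess_privileges(users=USERS, needs=POSITION_NEEDS):
    """Users whose effective privileges exceed their position's requirements,
    with the surplus privileges listed."""
    findings = {}
    for uid, position, profiles in users:
        surplus = effective_privileges(profiles) - needs[position]
        if surplus:
            findings[uid] = sorted(surplus)
    return findings


def sod_violations(users=USERS, conflicts=SOD_CONFLICTS):
    """Users holding both sides of a conflicting pair, e.g. able to enter and
    approve the same document type, so the approval adds no control."""
    hits = {}
    for uid, _position, profiles in users:
        held = effective_privileges(profiles)
        pairs = [pair for pair in conflicts if held.issuperset(pair)]
        if pairs:
            hits[uid] = pairs
    return hits


def exception_rate(users=USERS):
    """Exception count and rate among users who can do more than view, the
    population the report's non-sampling test examined."""
    active = [u for u in users if effective_privileges(u[2]) != {"VIEW"}]
    flagged = excess_privileges(active)
    return len(active), len(flagged), round(100 * len(flagged) / len(active))


if __name__ == "__main__":
    for uid, privs in reauthorization_sheet().items():
        print(uid, ", ".join(privs))
    print("excess privileges:", excess_privileges())
    print("separation-of-duties conflicts:", sod_violations())
    print("active users, exceptions, rate %:", exception_rate())
```

The three tables are the inputs a re-authorization review needs: without the profile-to-privilege expansion a supervisor sees only "RRA_CLERK" and cannot tell that it carries an approval right, which is exactly how the stale profile in the finding went unnoticed. On the constructed sample the script flags four of the six non-view users as over-privileged and three of them as able to both enter and approve RRA billing documents.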
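The acceptance-sampling plan in Appendix I (population of 669 users, sample of 145, acceptance on at most three exceptions, 5% tolerable error), worked through as an added Python example; this is not the auditors' own computation and not code from the report. It assumes the plan is judged by the probability of accepting a population in which 5% of users are over-privileged, computed both with the binomial model (as if sampling with replacement) and with the hypergeometric model (145 users drawn without replacement from 669).

```python
"""Acceptance-sampling arithmetic for an access-control review.

Added example; not the auditors' computation and not code from the report.
The figures (669 users, sample of 145, acceptance number 3, 5% tolerable
error) are the ones Appendix I states; evaluating the plan with the binomial
and hypergeometric models is the assumption made here.
"""
from math import comb


def binomial_accept_prob(n, c, p):
    """Probability of at most c exceptions among n users when each user is
    an exception with probability p (sampling with replacement)."""
    return sum(comb(n, k) * p ** k * (1 - p) ** (n - k) for k in range(c + 1))


def hypergeometric_accept_prob(population, defectives, n, c):
    """Probability of at most c exceptions when n users are drawn without
    replacement from a population containing `defectives` over-privileged
    users."""
    good = population - defectives
    total = comb(population, n)
    return sum(comb(defectives, k) * comb(good, n - k) for k in range(c + 1)) / total


def smallest_sample(c, p, risk=0.05, limit=5000):
    """Smallest n for which accepting on at most c exceptions leaves at most
    `risk` probability of passing a population whose true exception rate is p
    (binomial model)."""
    for n in range(c + 1, limit):
        if binomial_accept_prob(n, c, p) <= risk:
            return n
    raise ValueError("no sample size below limit satisfies the risk")


def evaluate_plan(population=669, n=145, c=3, tolerable=0.05):
    """Acceptance probabilities for the appendix's plan at exactly the
    tolerable error rate, under both models."""
    defectives = int(population * tolerable)  # 33 of 669 users
    return {
        "defectives_assumed": defectives,
        "binomial": binomial_accept_prob(n, c, tolerable),
        "hypergeometric": hypergeometric_accept_prob(population, defectives, n, c),
    }


if __name__ == "__main__":
    result = evaluate_plan()
    print(f"P(accept | {result['defectives_assumed']} of 669 over-privileged users):")
    print(f"  binomial       = {result['binomial']:.4f}")
    print(f"  hypergeometric = {result['hypergeometric']:.4f}")
    for acceptance_number in range(4):
        print(f"c = {acceptance_number}: smallest n for 5% risk =",
              smallest_sample(acceptance_number, 0.05))
```

With these figures the hypergeometric model puts the chance of passing a population in which 33 of 669 users are over-privileged at just under 5%, which matches the 95% confidence the appendix states; the binomial approximation, which ignores the finite population, gives roughly 6.5%. `smallest_sample` shows the trade-off behind the acceptance number: tolerating no exceptions needs only 59 users, while tolerating three pushes the sample to just over 150.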